Closed mwild1 closed 2 years ago
The following code snippet can be used to test GCM encryption (it's based on the code originally posted as broken in #115):
local cipher = require "openssl.cipher"
local key = "abcdefghijklmnopabcdefghijklmnop"
local iv = "123456123456"
local message = "My secret message"
local c = cipher.new("aes-256-gcm"):encrypt(key, iv);
local encrypted = c:update(message)
assert(c:final());
local tag = assert(c:getTag(16));
print("Encrypted to "..#encrypted.." bytes with "..#tag.."-byte tag");
-- Now for the decryption
local aes = cipher.new("aes-256-gcm"):decrypt(key, iv)
-- Provide the expected authentication tag to OpenSSL
aes:setTag(tag);
local decrypted = aes:update(encrypted)
print(decrypted)
print(aes:final())
CCM can be tested by changing c:getTag(16)
to c:getTag(12)
and obviously changing -gcm
to -ccm
in the cipher name.
The following code snippet ...
Could you add this as a regression test?
Regression test added in https://github.com/wahern/luaossl/pull/201/commits/e402818ccc91f3ec97641d08d8c64f60fec55580
Merged with bed73b66dee1dde0bfa5a658cf109457c3f70b46
@mwild1 I'm only running your regression tests now, and I get:
$ lua 115-test-aead.lua
lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (12: invalid IV length (should be 7))
stack traceback:
[C]: in method 'encrypt'
115-test-aead.lua:12: in function 'test_aead'
115-test-aead.lua:36: in main chunk
[C]: in ?
Well that's interesting. The test passes fine for me as-is. If I change the IV length to 7, I get:
lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (7: invalid IV length (should be 12))
stack traceback:
[C]: in function 'encrypt'
115-test-aead.lua:12: in function 'test_aead'
115-test-aead.lua:37: in main chunk
[C]: in ?
This is with OpenSSL 1.1.1.
Although I can't find it now, I vaguely recall some documentation that indicated the iv_length() function was not reliable for ciphers that accept IVs of variable/multiple lengths.
My guess is that maybe the default IV length has changed between versions. Out of curiosity, what version was your result with?
Some further reading:
So in 1.1.1+ if we explicitly set the IV length (which might be sensible anyway if the default varies between versions) then this issue should go away. But if we want backwards-compatibility with pre-1.1.1, I guess we need to skip this check for these ciphers.
If I change the IV length to 7, I get:
lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (7: invalid IV length (should be 12)) stack traceback: [C]: in function 'encrypt' 115-test-aead.lua:12: in function 'test_aead' 115-test-aead.lua:37: in main chunk [C]: in ?
Me too:
$ git diff
diff --git a/regress/115-test-aead.lua b/regress/115-test-aead.lua
index ed0f7f8..5026ce1 100644
--- a/regress/115-test-aead.lua
+++ b/regress/115-test-aead.lua
@@ -5,7 +5,7 @@ local cipher = require "openssl.cipher"
-- Test AES-256-GCM
local key = "abcdefghijklmnopabcdefghijklmnop"
-local iv = "123456123456"
+local iv = "1234561"
local message = "My secret message"
function test_aead(params)
$ lua 115-test-aead.lua
lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (7: invalid IV length (should be 12))
stack traceback:
[C]: in method 'encrypt'
115-test-aead.lua:12: in function 'test_aead'
115-test-aead.lua:31: in main chunk
[C]: in ?
Out of curiosity, what version was your result with?
$ openssl version
OpenSSL 1.1.1p 21 Jun 2022
So in 1.1.1+ if we explicitly set the IV length (which might be sensible anyway if the default varies between versions) then this issue should go away.
I'm running new enough that the fix you mentioned should be in. I guess it's something else...
oh; I only just noticed the line number in the stack trace: the error moves from 36 to 31 when the IV changes length.
So I guess for aes-256-gcm
it wants 12; but for aes-256-ccm
it wants 7? or some variable length where it's currently initialised to 7?
Yeah, I made these changes for testing:
diff --git a/regress/115-test-aead.lua b/regress/115-test-aead.lua
index ed0f7f8..febea2d 100644
--- a/regress/115-test-aead.lua
+++ b/regress/115-test-aead.lua
@@ -9,7 +9,7 @@ local iv = "123456123456"
local message = "My secret message"
function test_aead(params)
- local c = cipher.new(params.cipher):encrypt(key, iv)
+ local c = cipher.new(params.cipher):encrypt(key, params.iv)
local encrypted = c:update(message)
regress.check(encrypted)
@@ -31,9 +31,11 @@ end
test_aead {
cipher = "aes-256-gcm";
tag_length = 16;
+ iv = iv;
}
test_aead {
cipher = "aes-256-ccm";
tag_length = 12;
+ iv = iv:sub(1, 7);
}
@mwild1 how about https://github.com/wahern/luaossl/pull/202 ?
See https://github.com/wahern/luaossl/issues/115#issuecomment-1138846788 for context.